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(57) Abstract 

Method, apparatus, memory 
card, and system for establishing a 
secure connection between a wireless 
communication apparatus and a data 
communication apparatus based on 
ireless application protocol. The 
vviieless communication apparatus 
is provided with contact means for 
receiving information from a separate 
unit provided with memory means. 
The memory means comprising 
information to control the access of 
the wireless communication apparatus 
through a wireless communication 
network connected to said data 
communication apparatus. 
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Secure session set up based on the Wireless Application Protocol. 

5 

Technical Field of the Invention 

The Wireless Application Protocol (WAP) defines an industry-wide 
specification for developing applications that operate over wireless 
communication networks. The wireless market is growing very quickly, and 
10 reaching new customers and services. To enable operators and 
manufacturers to meet the challenges in advanced services, differentiation 
and fast/flexible service creation a set of protocols has been designed in 
transport, security, transaction, session and application layers. 

15 Background of the invention 

WAP security functionality includes the Wireless Transport Layer Security 
(WAPWTLS) and application level security, accessible using Wireless Markup 
Language Script (WMLScript). For optimum security, some parts of the 
security functionality need to be performed by a tamper-resistant device, so 

20 that an attacker cannot retrieve sensitive data. Such data is especially the 
permanent private keys used in WTLS handshake with client authentication, 
and for making application level electronic signatures (such as confirming an 
application level transaction). In WTLS, also master keys (master secrets) are 
relatively long living - which could be several days - this is in order to avoid 

25 frequent full handshakes which are quite heavy both computationally and due 
to relatively large data transfer. Master secrets are used as a source of 
entropy, to calculate MAC keys and message encryption keys which are used 
to secure a limited number of messages, depending on usage of WTLS. 
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'.T'T'' °' ^ — oo.™nlca.ion session 

b ^ en co^nicion un«s, such as pKones or ,acs..„e JchI s 
The secure session is controlled by seoarat^ <;m.rt ^ u ""^^"'"^s- 

•^u uy separate smart cards baqpH x/^^rif;^^*- 

unl. assoce. .,H a .especlve one o. .e co.™nicaJ ZTZ 
venf,ca.,on u„«s exchanpes .nCo. number, e„c^p.s .Hese nuLln 
-09 p.„a.e .e.. «,„.s .e enc.p,e. .n.o. nu..e. .o 
Then «,e encrypted .ndom number is decrypted based on pub„c keys ,"1' 
rece,ved numbers corresponds to the transn,«ed numbers the iTve 
each other an the se.re session may .a.e piace. However, .rCrrt" 
bo h communrcation un«s are provided w«h a smart card reader, w ich s no 
a necessary reguiremen. in a server, like e.g. an internet server Th s , 
ocument is ,u„e resthcting ,or the user, since n requires that borpa^ 
h^^ smart card reader, and is less suitable tor communication betJee 
2'-s communicatton apparatus and a data communication appajus 
Aiso. every .,me a session is going to be established betweenThetl' 
oommun,ca«on apparatuses, an exchange o, Keys must be done. 

Also, US-A-5,37t,794. by Sun Microsystems, discloses a way to provldino a 

secure Wireless communication linK between a mobile nomadi devrj 

base computing un«. The mobile device sends a host cert«c^e to he bas 

along With a randomly chosen challenge value (CH1, and . , , 

Shared Key algodthms. The base sends ..ndom nuler (R,^ 

.He mobile, public Key and an lden.,«er tor .he chTsra ^ -TT 

™*. The base saves the KN, value and adds 

c osen a,go.hm.othe mobile. The mobile veri„es underthe public Key :: 

base .He s,gna.ure on the message. When *e public Key is verified the 

mob, e determines the value o, RN1 by dec^pting the publL Key u2r th 

Pnvate Key of the mobile. The mobile then generates RN2 and a sess on kI J 

verifies and decrypting the RN2 and ■ 

9 RN2, and detemnines the session key. Finally, the 
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mobile and the base can enter a data transfer phase using encrypted data 
which is decrypted using the session key which is RN1 + RN2. The values of 
RN1 and RN2 are always derived from the last key exchange, which may be 
from the initial connection setup or from the last key change message, 
5 whichever is more recent. This means that each time a data transfer is made, 
two new numbers is generated based on RN1 and RN2, which will make the 
data transfer quite slow. Thus, as in US-A-5,307,411 , every time a session is 
going to be established between the two apparatusevS, in this case the mobile 
nomadic device and the base computing unit, an exchange of keys must be 
10 done. 

Summary of the Invention 

The main object of the present invention is to establish a secure connection 
between a wireless communication apparatus and a data communication 
15 apparatus based on a wireless application protocol. 

Another object is to enable the user to re-establish a secure at a later 
occasion, since establishing a secure connection is a heavy procedure both 
computationally and due to intensive data transfer. That is why, there is a 
20 need to use the mutually agreed master secret for a relatively long time. The 
problem is to store the master key in a secure way. Partly due to that problem, 
it is common practice to restrict the lifecycle of the master secret and the 
associated secure session to e.g., 24 hours, after which it is required to 
perform the heavy key establishment procedure a new. 

25 

The main object is achieved in accordance with the present invention by 
connecting a wireless communication apparatus, e.g. a cellular phone, to a 
separate unit. e.g. a smart card, a SIM (Subscriber Identity Module) card, etc., 
which may store sensitive data of a secure connection. This means that the 
30 wireless communication apparatus having some kind of contact means, for 
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example w.eless (e.g. i„,..,ed, radio frecuency, etc.) or physical (i.e an 
elecnca, oontaC). for receiving i„,o„r,a,ion from the separate unit, i.e ,he unit 
■s provided With .emory means. The memory means comprises information 
.o control an access of the wireless communication apparatus through a 
wireless communication network, e.g. a cellular phone network, connected to 
a data communicauon apparatus, e.g. a server, which supports a Wireles. 
Application Protocol (WAP). 

one advantage of using a separate unit, when establishing a secu^ 
connection, is that it will be much easier to re-establish a connection to the 
data communication apparatus. Thus, It is possible to save infonnation eg 
signatures, secret keys, etc., in the memory means, and may re-used in 
another secure connection. In order to avoid fraud, the re-use of a secure 
oonnecuon can be restricted for limbed period of time. By saving this 
.nfomnation in the memory means the second object will be achieved. 

Another advantage is that the user pays less when re-establishing a secure 
session, ,n case of the necessary infom,ation to re-establishing is saved. 

To establish a connecBon, the wireless communicatk>n apparatus connects ,o 
he separate unit, accessing the wireless communication network connected 
to sa,d data communication apparatus. Then the wireless communication 
appaiatus transmits a request to the data communication apparatus This 
request comprises infomtation of which pre-defined algorithm(s) the wireless 
communication apparatus supports. When the data communication apparatus 
receives this request, it chooses a. leas, one algorithm, assodated w«h a 
public key and a private key, and transmNs a message back to the wii^less 
communication apparatus. This message comprises the public key and 
.nfon^ation about which algorithm the data communication apparatus has 
chosen. When the wireless communication apparatus receives the message 
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comprising the public key, it will generate a master secret code, and 
calculates a signature based on the chosen algorithm, the public key and the 
master secret code. Thereafter, the wireless communication apparatus will 
transmit a respond to the data communication apparatus. This respond 
5 comprises the calculated signature. When the data communication apparatus 
receives the respond, comprising the signature, it will calculate the master 
secret code based on the chosen algorithm, the signature received, and the 
private key. Finally, the data communication apparatus wilt be able to 
establish a secure connection to the wireless communication apparatus. 



Further advantages of the vane arrangement according to the present 
invention will be apparent from the dependent claims. 

15 

Brief Description of the Drawing 

Fig. 1 schematically illustrates a preferred embodiment of a hand portable 
phone according to the invention. 

20 

Fig. 2 schematically shows the essential parts of a telephone for 
communication with a cellular or cordless network. 

Fig. 3 schematically shows how the secure session is set up between a client 
25 /phone and a server according to the invention. 

Fig. 4 illustrates the message structure for setting up a secure connection 
according to the invention. 

30 Detailed Description of Embodiments 
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2 l e " r °' ^ """"^ to *e invention, 

and „ «,,„ be seen .ha. .he phone, which is gene,.„y designated by 1 

a speaker 5, and a microphone 6. The phone 1 according .o .he pre J^' 
n,.>o .men. is adap.ed ,or co..unica.ion via a ceiiuiar ne..orK, L I" 
have ..en designed for a cordless ne.work as we,,. The Keypad 2 has a fir! 
.ro.p r o, Keys as a,phanun.enc Keys, by means o. which .he user 1 2 
a .e, Phone number, wh.e a .ex, message (SMS,, w^e a name (assoaa" d 
w,.h he Phone number,, e.c. Each of .he .we,ve a,phanumeHc ,^7 ^ 
provided wi.h a „gure "O-S- or a s^n or », respeciveiy. ,n a.pHa m d 
Key ,s associated w«h a number o. ie«ers and specie, signs used : e. 



The Keypad 2 add«iona„y comprises hvo soft Keys 8, .wo ca„ handling Keys 9 
15 and a navigation l<ey 10. ^ ' 

Z\T ^IT ' ' .0 wha. is Known from 

e Phones NoKia 21 .0~, .oKia 81 .0- and NoKia 38,0~. The n.nc«ona,i.y : 
.he soft Key depends on .he sU.e o„he phone and «,e navigation in .he menu 
20 by using a naviga«on Key. The present nincttona,ity of the soft Ke s 8 
shown ,n separate fields In the display 3 jus. above .he Keys 8. 

The h^o can handling Keys 9 according .o .he preferred embodimen. are used 

The navigation Key 10 is an up/down Key and Is placed centrally on the front 

30 ,h K '° '<«^ *umb This is 

30 .he bes. s,e .o place an Inpu. Key re<,u.ng precise mo.or movemen.s. 1; 
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experienced phone users are used to one-hand handling. They place the 
phone in the hand between the finger tips and the palm of the hand. Hereby 
the thumb is free for inputting information. 

5 Fig. 2 schematically shows the most important parts of a preferred 
embodiment of the phone, said parts being essential to the understanding of 
the invention. The preferred embodiment of the phone of the invention is 
adapted for use in connection with the GSM network, but, of course, the 
invention may also be applied in connection with other phone networks, such 

10 as cellular networks and various forms of cordless phone systems or in dual 
band phones accessing sets of these systems/networks. The microphone 6 
records the user's speech, and the analog signals formed thereby are A/D 
converted in an A/D converter (not shown) before the speech Is encoded in 
an audio part 14. The encoded speech signal is transferred to the controller 

15 18, which i.a. supports the GSM terminal software. The controller 18 also 
forms the interface to the peripheral units of the apparatus, including a RAM 
memory 17a and a Flash ROM memory 17b, a SIM card 16, the display 3 and 
the keypad 2 (as well as data, power supply, etc.). The controller 18 
communicates with the transmitter/receiver circuit 19. The audio part 14 

20 speech-decodes the signal, which is transferred from the controller 18 to the 
earpiece 5 via an D/A converter (not shown). 

The controller 18 is connected to the user interface. Thus, it is the controller 
18 which monitors the activity in the phone and controls the display 3 in 
25 response thereto. 

Therefore, it is the controller 18 which detects the occurrence of a state 
change event and changes the state of the phone and thus the display text. A 
state change event may be caused by the user when he activates the keypad 
30 including the navigation key 10, and this type of events is called entry events 
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o user events. However, .he ne^vo^ co.™nica.ir,g with .he phone n,ay 
^so cause a s.a.e change event This .ype o, even, and o.her even.s be.on 
me user s con.™, are called non user even.s. Non user even.s con, hse 
s.au.s Change during call se.-up, change In ba«ery vol.age, change in 
> amenna condMons, message on reception of SMS. e.c. 

An exarnple Of a tamper-resistant device Is a smart csr. (SC). In .he phone I. 
can be *e Subscriber Identic- Module (SIM) or an external smar. card. ' 

The way Which a phone and a smart card Interact Is speclfled as a command- 
response protocol. The goal o, *is protocol is to provide means for a WAP 
handset to utilize smart cards in per,om,ing WTLS and application level 
secunty functions. The functionaiity presented here is based on the 
rec,u,rement that sens«ive data, especially Keys, can be stored In .he card 
and all operations where these key are involved can be performed in the cart)' 
Drtferent classes of the cartis are introduced in or^er to define how widely the 
functionality is implemented. 

This specificafcn is based on IS07816 series of stendartis on smart cards In 
part,cu,ar, n uses *e ,S07816^ s.andart. (draft, [,S07816-8,. When this 

related GSM specificatrons [GSM1 1 .1 1J, where applicable. 

Aocordii^g ,0 the Invention the smart card 16 Is used to enhance secunty of 
.he implementation of the Security Layer and certain functions of the 
APP .ca.K>n Layer. The smart card 16 can be used for several purposes for 
WTLS The mapr purpose of tt,e smart card 16 Is .o perfom, cryp.ographic 
opera.,ons during .he handshake, espedally when .he handshake is uLd fo 
Chen. au*en.icatlon. Furthennore the memory of the smart card ,6 is used for 
secunng a master secre., a public key and o.her .ype of confidential material 
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during long-living WTLS sessions. Finally the mennory of the smart card 16 is 
used for recording the level security of the sessions. According to the 
invention the WTLS support in a smart card 16 can be described with 
reference to the following three embodiments. 

5 

First embodiment. 

According to this embodiment, the smart card 16 is used for storage of 
permanent, typically certified, private keys and for performing operations 
using these keys. The operations includes signing operation (e.g., ECDSA or 
10 RSA) for client authentication when needed for the selected handshake 
scheme; key exchange operation using a fixed client key (e.g., ECDH key. in 
ECDH_ECDSA handshake). 

The smart card 16 is not required to perform the calculation of the master 
15 secret or operations using the master key. These calculations may 
advantageously be performed by the controller 18 of the phone. However, the 
smart card 16 may act as a persistent storage for WTLS secure session (and 
connection) data, including master secrets. In this case, master secrets would 
be calculated and used for key derivation in the volatile phone memory (the 
20 RAM 17a) but erased from there when not needed at that moment, e.g., when 
the user exits from secure WAP applications. Not storing session data 
persistently in phone 1 may improve security, e.g., in the case of a stolen 
phone 1 . It also brings better usability in the case of changing the smart card 
16 from one phone 1 to another. 

25 

Additionally, for portability, the smart card 16 may store needed certificates. 
Storage of trusted root certificates (or public keys) has significance also from 
security point of view: they must not be altered - but they can be exposed 
without danger. 

30 
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Note ha, When public key encryptton based key exchange (e.g.. RSA) is used 
acco«i,ng .o .he firs, ennbodimen, of U,e inveh.ion, .here is no advantage In 
do,ng public key enc^ion on the smart card 16 when ,he pre-master secret 
would anyway be returned .o the phonel, for master secret calculation in ,he 
controller 18. 



15 



20 



25 



When client authentication is no, supported in WTLS, at the minimum the 

is supported. ,he card would be able ,o perform a signing operation based on 
a pr,va,e key (e.g.. ECDSA or RSA) s,ored in the card, or key agreement 
calculation (e.g., ECDH) based on a fixed key stored in the card. 

Second embodimf^nf 

Accoitiing ,0 a,e second embodiment, the smart card 16 is used as a tamper 
resistant device for all c^o-critica, functionality: storage of all persistent keys 
and operations using ,hese keys. Besides the operations perfonined according 
the first embodiment, the smart card 1 6 now also supports the 
calculation (ECDH key exchange) or generation (RSA key exchange) of the 
pre-master secret; calculaflon and storage of the master secret for each 
secure session; and derivation and output of key material (for MAC 
encryption keys, IV, finished check), based on the master secret 

The Phone 1 stores MAC and message encryption keys as long as they are 
cun-ently needed. These keys have a limited lifetime which may be negodated 
dunng the WTLS handshake - in the extreme case they are used for a single 
message only. The phone 1 has to delete the ftom its RAM memoiy 17a when 
the user exits from the secure WAP applications. These keys can always be 
denved anew from the master secret if needed. 
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An attacker who obtains a message encryption key can read as many 
messages as is agreed in the key refresh configuration (in the extreme case, 
a single message). An attacker who obtains a MAC key can impersonate the 
compromised party during as many messages as is agreed in the 
5 configuration (in the extreme case, a single message). 

Third embodiment. 

Certain specialized smart cards 16 may act as full-blown security engines for 
WTLS. This requires that the smart card 16 is equipped with its own 
10 processing unit and only uses the phone 1 as an interface to the cellular 
network during the secure session set up or the handshake procedure. 
Besides the operations according to the second embodiment, the smart card 
16 may store MAC and encryption keys for each secure connection; and 
perform MAC calculation/verification and encryption/decryption of messages. 

15 

Furthermore the smart card 16 may be responsible for the verification of 
certificates and the verification of digital signatures. 

Note that having message encryption in the smart card 16 does not 
20 necessarily bring any additional security because in any case the data is as 
plain text in the phone 1 . The same is true for MAC calculation: the phone 1 
must be trusted to input and output data in a correct way. The only advantage 
here would be not having to take encryption keys out of the card 16. However, 
the keys have a limited lifetime which is negotiated during the WTLS 
25 handshake - in the extreme case they are used for single message only. 
According to the third embodiment, the smart card 16 will contain al! 
algorithms so that they could be controlled by smart card issuers. 

Smartcard. 



MSfXTcin- <wo oooaassAi i :. 
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The em, smartcard" covers a card-liKe u„„ having some memo^ n^eans in 
wh,ch some secret information iden«^ing .he card hoider is sLd ; 

or ,. may be p^vided as discrete memory components as a ROM EEPRo,.' 
etc. When the user inser. the smart ca. in a more or iess p.t>,ic appZ! 
he may become authorized to perform some operations such as LI 

Subscnber identity Moduie or a S,M ca^ 16. and the structure o' this ^To, 
.mar, card is downed in the GSM specification -Speciflca^on of the SubsTribe 
dent,.y Mcduie - Mobiie Equipment ,S,M - ME) interface-, 3SM 11.1, vel 
5^5.0, pub„shed by European Teiecommunications Standards institute- ETS 



15 



Gem ,us h s recently launched a smancard. GemXp^sso RAD, based on a 

32 b R SC '"'""'"'^ "'^^ ""^ '-^"°'°Sy. This 

32 b„ RISC processor has a 32 kbyte of non volatile flash memory and 8 

tifur.he gsm""" r ""^^^ °' '--^ 

fulfih the GSM speafication this type of smartcard will be able to support the 
second and the third embodiment. PPOh tne 



Network. 



Fi9^3 schematically shows how the secure session, i.e. a secure connection 
behveen a data communication apparatus and a wlrel»« 
annarat,,, « wiratus and a Wireless communicatton 

apparatus, e.g. a cellular phone 1 Basically the WAP content and 
app ca.,ons are specified in a se, of well-known content formats based In l 
fam,l,ar WWW content fom^ats. Content is transported using a set of stand 
commun,ca„on protocols based on the WWW communication protoco a 
browser ,n the phone 1 co-ortinates the user interface and is 
analogous to a standarel web browser. 
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The wireless communication apparatus 1 is a client 1 who wants to establish 
a secure connection to a server 20,30.40. which is the data communication 
apparatus 20,20,30. The client is provided in an environment, which make it 
possible to reach a wide variety of different wireless platforms, e.g. world wide 
web (WWW). The environment provided may be referred to as Wireless 
Application Environment (WAE). This means that the client 1 may be 
supported by some kind of browser, e.g. a micro-browser, to access the 
different services connected to the server. In order to access these services 
the browser may comprise following functionalities: 

• Wireless Markup Language (WML) - a lightweight markup language, similar 
to HTML, but optimised for use in hand-held mobile terminals; 

• WMLScript - a lightweight scripting language, similar to JavaScript™; 

• Wireless Telephony Application (WTA. WTAI) - telephony services and 
programming interfaces; and 

• Content Formats - a set of well-defined data formats, including images, 
phone book records and calendar information. 

The server 20 is using a wireless application protocol, and may comprise a 
gateway 30 and an origin server 40. The gateway 30 is also a server, which 
may identify and encrypt/decrypt information between the client 1 and the 
origin server 40. This means that the gateway is provided with encoders and 
decoders (not shown). Also, the server 20 comprises different algorithms to 
make the encryption/decryption. The encryption/decryption itself may be 
performed by well-known methods, e.g. RSA. Diffie-Heilman, etc. The origin 
server 40 comprises different scripts to support WAP and data to be accessed 
by the client This data may be all kind of information, e.g. weather reports, 
news, information from stock markets, etc. 
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In order ,o access me server 20, <ro,r, ,he client 1, ,he server has .o be 
connected to e wireless com^nlcatton network 50, e.g a cellular In! 
networ. THere,ore, In accordance the present Invent J ,1 
PK.v,ded «... contact .eans (not shown, tor receiving Intonnatlon Z 
5 sepa^te un,t ,no, shown, p,ov«ed with .emory .eans. This separate 1 
may be a smart card. subsc*er Identity module (SIM,, or the like The 

(RoroX T ' ''""""^ — 

on. r ■ «°™a,ton .o 

10 :r::: ^^^^^^ °' ^° '^-^ - — 
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20 



25 



30 



access ng he wtreless communlcaUon nelwork 50 connected to the server 20 
Then the d,en, , ..nsmte an encrypted request 60 through the gateway 3o' 

algon,hm(s, the chent 1 supports. When the gateway 30 receives mis 
encryp^d reguest 60, it sends 70 the encrypted reguest to .he origin server 
40^ The ong,n sender 40 chooses a. leas, one algortU,., assocla.ed w«h a 
publ,c key and a prlva.e key, and .ransn,«s a n^ssage 80 back .o th 
gateway 30. The gateway encryp. me message and send „ 90 .o me cllen 
Th,s message 90 comprises me public key and information about which 
a^aonmm me server 20 has chosen. When me client . receives the encj;: 
message 90. comprising me public key. It will generate a master secret^e 
a™, calculates a signature based on me chosen algorimm. me public keyld 
e master secret code. Thereafter, the aient . will transmi. an encr^p.L 
re pond 65 to .he gatewa, 30. This enc^ted respond 65 compriseTh^ 
calc^ted slgnarure. When .he ga.eway 30 receives .he encrypted respol 
80, compns,ng me signature, it will decrypt the respond 75 and send I, to me 
or,g,n server 40. The origin server will calculate .he master secret code based 
on me Chosen algorithm, me signature received, and me prtvate key Finally 
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the origin server 40 sends a final message 85 to the client through the 
gateway 30. If the origin server 40 has accepted the clients 1 request 60, the 
server will be able to establish a secure connection between the origin server 
40 and the client 1 , else the connection will be ternninated. 

5 

Setting up a secure connection. 

Fig. 4 illustrates the message structure for setting up a secure connection 
according to the invention. 

10 The cryptographic parameters of the secure session are produced by the 
WTLS Handshake Protocol, which operates on top of the WTLS Record 
Layer. When a WTLS client and server first start communicating, they agree 
on a protocol version, select cryptographic algorithms, optionally authenticate 
each other, and use public-key encryption techniques to generate a shared 

1 5 secret. 

The WTLS Handshake Protocol is described Wireless Transport Layer 
Security Specification dated 30. April 1998 and is a part of the Wireless 
Application Protocol. 

.20 

The WTLS Handshake Protocol involves the following sequence of steps. 
When the a WAP session has been set between the phone 1 (the client) and 
the sen/er 20 (e.g. a bank), and the client (phone 1) wants to establish a 
secure connection he sends a client hello message 100 as his first message. 

25 This message includes a key exchange list that contains the cryptographic 
key exchange algorithms supported by the client in decreasing order of 
preference. In addition, each entry defines the certificate or public key the 
client wishes to use. The server will select one or, if no acceptable choices 
are presented, return a handshake_failure alert and close the secure 

30 connection. 
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In response to the client hello message 100 the server 20 will h 
parameters need for the session. '"^ 

10 -a.etot,3n.theZre:;r:e::rs:r'"^^^^^ 

the cryptation algorithm selected by the server 1" .h T''' ' '"'"'"^ 

-udod in the Client hello message',oO. ZZ^^^ 

Will include a so-callPri nor+ir * ^^"^ certificate message 102 

15 about issuer of the certificate th.K • ■ '"^'"^^^ '"formation 

and parameters :::::T^XZT' '^^^ 
Pehod and when the granted valid t^nSisZ-ri^^^^^ ^^"^ 
the secure connection. The lenath of L '° '^"^ 

level Of a week or more The ' '^"'^"^ ^« 

20 defined '"^ "^^^ °' -»l also have to be 



A Se^r Key Exchange Message 103 will be send as a thi^ 
--diately after the se.er certiflcate message 1 02 Th 
25 exchange message ,03 is op„onally and wiliri b th sUT;: oT 
When the server certificate messaaelO? "'^ 

a- the .ent 1 to ^^^..r:::i.:rzrr '° 

conveys cptog.phic in,om,ation to allow the .lent Jr:! T 

master secret- either an rqa ^ u. . "mmunicate the pre- 
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Exchange Suites are defined for WTLS which include new, key exchange 
algorithms, the server key exchange message will be sent if and only if the 
certificate type associated with the key exchange algorithm does not provide 
enough information for the client to exchange a pre-master secret. 

5 

Also a forth message - a Server Certificate message 104 - is optionally. This 
message 104 requests a certificate from the client, if appropriate for the 
selected cipher suite. This message will immediately follow the Server 
Certificate message 102 and Server Key Exchange message 103. 

10 

In order to inform the client that the server has ended of the Server Hello 
session, it transmits a Server Hello Done message 105. After sending this 
message 105 the server 20 will wait for a client response. This message 
indicates that the server 20 has send messages to support the key exchange. 
1 5 and that the client 20 can proceed with its phase of the key exchange. 

Upon receipt of the server hello done message the client should verify that the 
server provided a valid certificate if required and check that the server hello 
parameters are acceptable. 

20 If the server 20 asks for an Client Certificate message 107, the client 1 has to 
transmit such a after receiving a Server Hello Done message 105. This 
message is only sent if the server 20 requests a certificate. If no suitable 
certificate is available, the client must send a certificate message containing 
no certificates. If client authentication is required by the server for the 

25 handshake to continue, it may respond with a fatal handshake_failure alert. 
Client certificates are sent using the Certificate structure defined previously for 
server certificates. 

Now the phone 1 or the client starts to calculate a 20 byte random number to 
30 be used as a Master Secret 106 for the secure sessions. The master secret 
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(MAC Keys and data encryption Keys. MAC and data encryption provide da 

iL ir;::.": ~ - - - 

sec^«^ et r • " ' ^ '° ""^^"^ ^S-'' -ster 

secret 1 06 for a relatively long time. 

The processor or the controller ,8 o, the phone 1 calculates the master 

r: -^^^^ - - as : :z 

es,stan, dev,ce, ,s used for storage o, the sensitive data of the secure 
ssion, and perfonning operat^ns using that sensitive data, so that th,s daL 
never leaves the ca,.. In practice the secure information will be tran e ' d 
from the SIM card 16 to the working RAM 1 7a „f ,h» '^^"sferred 
. ^ ^™ 1 '3 °> 'he processor 18 but the-se 

; rredT ~" - - - 

According to the «rst embodiment of the invention the controller 18 performs 
the operations needed for tt,e key establishment eg DWie 
calculation or RSA enc^ption and complementarv <..Iiions ^1" 

.r:r"d:r'"'^""^*^^^"'"=^--^«^<--™^^^ 

SIM car. 16. Then the conti^ler 18 performs the key derivation based 

for MAC calculation and encwtion. The key derivation function is securitv 
™ specinc. It is typically based on some secure hash tunc:.::: 



Preferably the SIM card 16 is provided as a smart car. having its own 
prc,cessor, whereby both the opera.ons needed for performing t kl 
establishment and the key derivation based on the master secret may be 
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calculate it. would never have to leave smart card. So, the secure session 
associated with the master secret can be used during a long period 

A Client Key Exchange Message 108 will immediately follow the client 
certificate message 107, if it is sent. Otherwise it will be the first message sent 
by the client 1 after it receives the Server Hello Done message 105. With this 
message 108, a pre-master secret is set, either through direct transmission of 
the RSA-encrypted secret, or by the transmission of EC Diffie-Hellman public 
key which will allow each side to agree upon the same pre-master secret. 

Then the Master Secret 106 is encrypted by using the public key from the 
server's certificate and the agreed RSA algorithm. The result is send to the 
server 20 in an encrypted master secret message 109. 

A Certificate Verify message 110 is used to provide explicit verification of a 
client certificate. This message is only sent by the client following a client 
certificate Message 107 that has signing capability (i.e., RSA certificates). 

Both ends has to send finished messages 111 and 112 at the end of the 
handshake to verify that the key exchange and authentication processes were 
successful. 

The finished messages 111 and 112 is the first messages protected with the 
just-negotiated algorithms, keys, and secrets. Recipients of finished 
messages must verify that the contents are correct. Once a side has sent its 
Finished message and received and validated the Finished message from its 
peer, it may begin to send and receive application data 113 over the secure 
connection. It is a critical or fatal error if a finished message is not preceded 
by a change cipher spec message at the appropriate point in the handshake. 
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15 



20 

"P but not ,nclud,ng, this finished messaae Th» 
handshake_„,essages for the finished n,essage sent bv thH 
d«e.en, f™. .hat fo. .he finished message se t hX se". Z 1' 
one Which is sen. second wil, include the prior one. 

As long as a secure connection is valid application data session 113,. k 
ini.ia.ed Just by using Client HBti^ „ 1 13 may be 

""^ "^^-^ge- 100 and Server Hello n»ssages 



Acronyms. 
APDU 



20 



25 



30 



API 
CA 
CBC 
DF 
DH 
EC 
ECC 
ECDH 
ECDSA 
EF 
GSM 
IV 

MAC 

ME 

OSI 

PDU 

PRF 

SAP 



Application Protocol Data Unit 
Application Programming Interface 
Certification Authority 
Cipher Block Chaining 
Dedicated File 
Diffie-Hellman 
Elliptic Curve 

Elliptic Curve Cryptography 

Elliptic Curve Diffie-Hellman 

Elliptic Curve Digital Signature Algorithm 

Elementary File 

Global System for Mobile Communication 

Initialization Vector 

Message Authentication Code 

Management Entity 
Open System Interconnection 
Protocol Data Unit 
Pseudo-Random Function 
Service Access Point 
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SDU Service Data Unit 

SHA-1 Secure Hash Algorithm 

SIM Subscriber Identity Module 

SMS Short Message Service 

5 SSL Secure Sockets Layer 

TLS Transport Layer Security 

WAP Wireless Application Protocol 

WML Wireless Markup Language 
WMLScript Wireless Markup LanguageScript 

10 WDP Wireless Datagram Protocol 

WSP Wireless Session Protocol 

WTLS Wireless Transport Layer Security 

WTP Wireless Transaction Protocol 



15 The list above includes the acronyms used in the present text. Detailed 
discussion and explanation of the acronyms may be found in the technical 
specifications defining the Wireless Application Protocol on the Internet 
homepage for WAPFORUM, http://\AAvw.wapf orum.org/. 
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CLAIMS 

1. Method for establishing a secu. connection between a wireless 
co,nn,unicaflon appa^tus and a data communication apparatus based on 
a w,^ ess application protocol, wherein said wireless communication 
apparau,s hav.ng contact means for receiving Infomnatlon f^m a separate 
un. provided with memory means, said memo^ means complnj 
,n fom,at,on fo control the access ot the wireless communication apparatu 
through a wireless communication network connected to said data 
communication apparatus, comprising the following steps- 

- connecting said wireless communication apparatus to the separate 
unit, accessing me wireless communication network connected to said 
data communication apparatus 

- the wireless communication apparatus transmits a request to the data 
communication apparatus to establish a connection, said request 
comprising Information of which predefined algori.hm(s, the wireless 
communication apparatus supports, 

- upon reception of said request, me data communlcafion apparatus 
Choose a. least one algorithm, associated with a public key and a 
pnvate key. and transmits a message back to the wireless 
communicauon apparatus, said message comprising the public key 
and ,n,om,a.lon about which algorithm the data communica J 
apparatus has chosen, 

- upon reception of the message, comprising the public key. the wireless 
commun,cat,on apparatus generates a master secret code and 
calculates a signature based on the chosen algorithm, the public key 
and the master secret code, and transmits a respond to the data 
communication apparatus, said respond comprising the calculated 
Signature, 
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- upon reception of the respond comprising the signature, the data 
connnnunication apparatus calculates the master secret code based on 
the chosen algorithm, the signature received and the private key, and 
establish a secure connection to the wireless communication 

5 apparatus, and 

- saving said master secret code on said memory means and in the data 
communication apparatus, in order to re-establish the connection at a 
later occasion. 

10 2. A method according to claim 1, and comprising a step of saving said 
master secret under a pre-defined time. 

3. A method according to claim 1 or 2, and comprising a step of re- 
establishing the connection by 

15 - transmitting a request from the wireless communication apparatus to 
the data communication apparatus, said request comprising the 
calculated signature based on the chosen algorithm, the public key and 
the stored secret key, and 

- upon reception of the request, the data communication apparatus 
20 calculates the master secret code based on the chosen algorithm, the 

signature received, and the private key, and, establish a secure 
connection to the wireless communication apparatus. 

4. A method according to claim 1 , 2, or 3, and comprising a step of providing 
25 said memory means in a smart card. 

5. Wireless communication apparatus for establishing a secure connection to 
a data communication apparatus based on a wireless application protocol, 
said wireless communication apparatus comprising: 
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- communication means for establishing a connection to a wireless 
communication network connected to said data communication 
apparatus, 

- contact means for receiving information from a separate unit provided 
wrtt, memory means, said memory means is provided witt, infonnation 
to control ti,e access of the data communication apparatus through the 

Wireless communication network, 

- reading means for reading infomiation received from the data 
communication apparatus and the Information provided on said 
memory means, 

- random generating means, for generating a master secret code 

- pre-defined algonthm(s), to generate a signature based on said master 
secret code and a public key received from said data communication 
apparatus, which is to be used when the wireless communication 
apparatus is going to establish a secure connection to the data 
communication apparatus, and 

- said reading means comprising a secure database provided with at 
least one master secret code and/or at least one signature related to 
one or more data communication apparatus, in order to re-establish a 
secure connection to a data communication apparatus. 

6. A wireless communication apparatus according to claim 5. having its 
memory means exchangeable. 

7. An apparatus according to daim 5 or 6, said memory means is a smart 

card, 

8. An apparatus according to claim 5, 6, or 7, said memory means is a 
subscriber identity module. 
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9. Memory card for establishing a secure connection between a wireless 
communication apparatus and a data communication apparatus based on 
a wireless application protocol, arranged to be connected to said wireless 
communication apparatus having contact means for receiving information 
from the memory card, and said memory card is provided with information 
to control the access of the data communication apparatus through a 
wireless communication network. 

10. A memory card according to claim 9, further comprising encryption means 
for encrypting the master secret, which is to be used as a signature for the 
wireless communication apparatus when it is establishing a secure 
connection. 

11. A memory card according to claim 9 or 10, comprising a secure database 
provided with at least one master secret code and/or at least one signature 
related to one or more data communication apparatus, in order to re- 
establish a secure connection to a data communication apparatus. 

12. A memory card according to claim 9, 10, or 11, is provided on a smart 
card. 

13. System for establishing a secure connection when using a wireless 
application protocol, comprising: 

- a data communication apparatus based on the wireless application 
protocol, 

- a wireless communication network, connected to said data 
communication apparatus, 

- a wireless communication apparatus having contact means for 
receiving information from a separate unit provided with memory 
means, and 
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- .he separate unit provided ^„ ,He memory means, said memory 
moans, comprising infom,a,ion ,o controi ,he access of .he wireiesi 
communication apparatus through the wirai.« 

network. Wherein communication 

- .he wireiess communication apparatus is anranged to transmit a 
revues to the data communication apparatus to estahiish 
connechon, said request comprising infonnation o, which pr^eflned 
algonthmfs, the wireiess communicaton apparatus suppo J 

■ al" ITT '^^ — 'cat^n apparatus is 

a^anged to choose at least one aigomhm, associated with a public key 
and a private Key, and to .,ansm« a n^ssage back to the wireles 
communication apparatus, sa« message comprising the public key 
and ft, 3^,, ^.^^ ^^^^^^ communication 

apparatus will choose. 

upon reception o, said message, comprising the public key the 
w,re,ess communication apparatus is arranged to generate a master 
secret code, to calculate a signature based on the chosen algorithm 

the data communication aoDaratnc eow 
calculated Signature, ™ """^^^^"^ 

upon recepHon o, the .spond comprising the signature, the data 
»mmun,ca.,on apparatus is arranged to calculate the master secret 
code based on the chosen algorithm, the signature received, and the 
Private key, and, thus establish a secure connection to the\.rele! 
communication apparatus, and 

said memon, means and the data communication apparatus are 
arranged to save said master secret code, in order to re-establish the 
connection at a later occasion. 
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14. A system according to claim 13, said master secret is arranged to be 
saved under a pre-defined time. 



15. A system according to claim 13. or 14. said memory means is a smart 
card. 
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